Juniper Networks fixes Junos OS flaws
Four critical security vulnerabilities impacting all Juniper Networks Junos OS versions on SRX and EX Series, which could be chained to facilitate remote code execution, have been addressed in an "out-of-cycle" update, The Hacker News reports.
The fixed flaws all reside in the operating system's J-Web component. Two are PHP external variable modification bugs, tracked as CVE-2023-36844 and CVE-2023-36845, which could be leveraged by unauthenticated network-based attackers to take over particular environment variables. The other two are missing authentication for critical function flaws, tracked as CVE-2023-36846 and CVE-2023-36847, which could be exploited to allow limited file system integrity impact.
Successful exploitation requires alteration of certain PHP environment variables or arbitrary file uploads through J-Web, according to Juniper Networks, which urged the immediate application of the update.
Organizations running vulnerable Junos OS instances have also been advised to restrict access to J-Web or disable it as workarounds to mitigate possible RCE attacks.
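To verify the workaround on a fleet, the following added example (not from the article or from Juniper) classifies J-Web exposure from saved `show configuration | display set` output. It assumes J-Web is enabled through `system services web-management http|https` statements; the sample configurations are constructed, and it does not evaluate firewall filters or zone settings that may also restrict access.

```python
import re

# Constructed `show configuration | display set` excerpts (not from a real device).
SAMPLE_EXPOSED = """\
set system host-name branch-srx
set system services ssh
set system services web-management https system-generated-certificate
"""
SAMPLE_RESTRICTED = """\
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
"""
SAMPLE_DEACTIVATED = """\
set system services web-management http
deactivate system services web-management
"""

_WEB = re.compile(r"^(set|deactivate)\s+system\s+services\s+web-management(?:\s+(.*))?$")


def audit_jweb(config_text):
    """Return (status, {protocol: [interfaces]}) for J-Web in a display-set config.

    status is 'disabled', 'restricted' (every active listener is bound to named
    interfaces) or 'exposed' (at least one listener has no interface binding).
    """
    listeners, inactive = {}, set()
    for line in config_text.splitlines():
        m = _WEB.match(line.strip())
        if not m:
            continue
        action, rest = m.group(1), (m.group(2) or "").split()
        if action == "deactivate":
            inactive.add(rest[0] if rest else "*")  # "*" = whole stanza inactive
        elif rest and rest[0] in ("http", "https"):
            bound = listeners.setdefault(rest[0], set())
            if len(rest) >= 3 and rest[1] == "interface":
                bound.add(rest[2])
    active = {} if "*" in inactive else {
        p: sorted(i) for p, i in listeners.items() if p not in inactive}
    if not active:
        return "disabled", {}
    status = "restricted" if all(active.values()) else "exposed"
    return status, active


if __name__ == "__main__":
    for name in ("SAMPLE_EXPOSED", "SAMPLE_RESTRICTED", "SAMPLE_DEACTIVATED"):
        print(name, audit_jweb(globals()[name]))
```

A `restricted` result only means the listener is bound to named interfaces; whether those interfaces face a trusted network still needs review.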